FIX: Malware Scanning takes longer than expected in Microsoft Forefront Threat Management Gateway 2010 when you set the "Block files larger than (MB)" option to allow very large files

Article ID: 2518663 - View products that this article applies to.
Important   This article contains information that shows you how to help to lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, Microsoft recommends that you evaluate the risks that are associated with implementing this resolution in your particular environment. If you choose to implement this resolution, take any appropriate additional steps to help to protect your system.

SYMPTOMS

When you use Microsoft Forefront Threat Management Gateway (TMG) 2010 Malware Scanning, you can limit the size of files that are downloaded by using the Block files larger than (MB) option.

Note The Block files larger than (MB) option is on the Inspection Settings tab of the Malware Inspection dialog box.

If you set the value for this option so that TMG 2010 scans very large files, TMG Malware Scanning takes longer than expected. For example, a 4 gigabyte (GB) file can take as long as 30 minutes for the Malware Inspection engine to scan.

Note You cannot configure TMG Malware Scanning to perform a partial scan and to scan only the first few megabytes of downloaded files.

RESOLUTION

Warning  This resolution may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. Microsoft does not recommend this resolution but is providing this information so that you can choose to implement this resolution at your own discretion. Use this resolution at your own risk.

To resolve this issue, install the software update that is described in the following Microsoft Knowledge Base article:
2517957 Software Update 1 Rollup 4 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1
This hotfix introduces a new setting, ScanMaxSizeOnlyIfExceeds. When you set ScanMaxSizeOnlyIfExceeds to True, the Block files larger than (MB) configuration setting no longer acts as a limit on the maximum size of downloaded files; instead it becomes a partial scan limit, in megabytes.

When ScanMaxSizeOnlyIfExceeds is set to True, no size limit is applied to downloaded files. However, when a file that you download is larger than the value that is set in the Block files larger than (MB) option, only a portion of the file (equal to the size that is set in that option) is scanned.

The default setting of ScanMaxSizeOnlyIfExceeds is False. You can apply this setting at the Array level or at the Rule level. To enable the setting by using a script, select the appropriate script from the ones that are presented below, and then run it on one of the array members. You can also use the TMG Management Console to set the value of the Block files larger than (MB) option.

Array level script

Copy the following script into Notepad, save the script with the name EnableMaxSizeScanAllowRule.vbs, and then at a command prompt run the script as follows:
cscript EnableMaxSizeScanAllowRule.vbs
Const SE_VPS_GUID = "{DFAEF493-C442-4F80-9622-5DA4143287D8}"
Const SE_VPS_NAME = "ScanMaxSizeOnlyIfExceeds"
Const SE_VPS_VALUE = true

Sub SetValue()

    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim array                     ' An FPCArray object
    Dim malwareInspectionSettings ' The array's malware inspection settings object
    Dim scannerSettings           ' Its scanner settings object
    Dim VendorSets                ' An FPCVendorParametersSets collection
    Dim VendorSet                 ' An FPCVendorParametersSet object

    ' Get references to the array object and to the vendor parameters
    ' collection of the array-level malware inspection scanner settings.
    Set array = root.GetContainingArray
    Set malwareInspectionSettings = array.MalwareInspectionSettings
    Set scannerSettings = malwareInspectionSettings.ScannerSettings
    Set VendorSets = scannerSettings.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
        WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
    End If

    if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

        If Err.Number <> 0 Then
            CheckError
        Else
            ' Persist the change to the array configuration. Check Err before
            ' calling CheckError, because CheckError clears Err and would
            ' otherwise let the "saved!" message print after a failed save.
            VendorSets.Save false, true

            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            Else
                CheckError
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If

End Sub

Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

SetValue

Rule level script

Copy the following script into Notepad, save the script with the name EnableMaxSizeScanAllowRule.vbs, and then at a command prompt run the script as follows:
cscript EnableMaxSizeScanAllowRule.vbs /RuleName:"MyRule"
Replace the placeholder MyRule with the name of the relevant TMG Access rule.
Const SE_VPS_GUID = "{DFAEF493-C442-4F80-9622-5DA4143287D8}"
Const SE_VPS_NAME = "ScanMaxSizeOnlyIfExceeds"
Const SE_VPS_VALUE = true

Sub SetValue()

    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim array                     ' An FPCArray object
    Dim ruleName                  ' Name of the access rule passed on the command line
    Dim rule                      ' The FPCPolicyRule object for that rule
    Dim malwareInspectionSettings ' The rule's malware inspection properties object
    Dim scannerSettings           ' Its scanner settings object
    Dim VendorSets                ' An FPCVendorParametersSets collection
    Dim VendorSet                 ' An FPCVendorParametersSet object

    ' Get a reference to the array object, then look up the rule by name.
    Set array = root.GetContainingArray

    ' Stop with a usage message if /RuleName was not supplied; otherwise
    ' PolicyRules.Item would fail with an unhelpful error.
    If Not WScript.Arguments.Named.Exists("RuleName") Then
        WScript.Echo "Usage: cscript EnableMaxSizeScanAllowRule.vbs /RuleName:""MyRule"""
        WScript.Quit 1
    End If
    ruleName = WScript.Arguments.Named("RuleName")
    Set rule = array.ArrayPolicy.PolicyRules.Item(ruleName)

    ' Get the vendor parameters collection of the rule-level malware
    ' inspection scanner settings.
    Set malwareInspectionSettings = rule.MalwareInspectionProperties
    Set scannerSettings = malwareInspectionSettings.ScannerSettings
    Set VendorSets = scannerSettings.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
        WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
    End If

    if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

        If Err.Number <> 0 Then
            CheckError
        Else
            ' Persist the change to the array configuration. Check Err before
            ' calling CheckError, because CheckError clears Err and would
            ' otherwise let the "saved!" message print after a failed save.
            VendorSets.Save false, true

            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            Else
                CheckError
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If

End Sub

Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

SetValue
To revert the changes that you made by using the Array script or the Rule script, and to revert to the default behavior of the Block files larger than (MB) setting, edit the relevant script and change the following line from:
Const SE_VPS_VALUE = true
To:
Const SE_VPS_VALUE = false
Then, rerun the script using the appropriate instructions.
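To check which value is actually in effect after you run or revert the scripts, the following PowerShell audit script (added here; it is not part of the article and not Microsoft's code) reads the same VendorParametersSets through the FPC.Root COM object at the array level and on each policy rule. It assumes the TMG management COM objects are registered on the array member where it runs, and that rule types without malware inspection properties raise an error on access, which it skips.

```powershell
# Added audit script (not from the KB article). Reports the effective
# ScanMaxSizeOnlyIfExceeds value at the array level and on every policy rule
# that carries malware inspection properties. Uses only the COM objects and
# property names shown in the article's VBScript; run it on an array member.
$SE_VPS_GUID = "{DFAEF493-C442-4F80-9622-5DA4143287D8}"
$SE_VPS_NAME = "ScanMaxSizeOnlyIfExceeds"

function Get-PartialScanState {
    # $VendorSets is an FPCVendorParametersSets collection.
    param([object]$VendorSets)
    try {
        $set   = $VendorSets.Item($SE_VPS_GUID)
        $value = $set.Value($SE_VPS_NAME)
    } catch {
        # Item() fails when the vendor parameters set was never created,
        # i.e. neither script has been run here: the default (False) applies.
        return "False (default, not set)"
    }
    if ($null -eq $value -or "$value" -eq "") { return "False (default, not set)" }
    return "$value"
}

$root  = New-Object -ComObject "FPC.Root"
$array = $root.GetContainingArray()

$arraySets  = $array.MalwareInspectionSettings.ScannerSettings.VendorParametersSets
$arrayState = Get-PartialScanState $arraySets
Write-Output ("Array level : {0} = {1}" -f $SE_VPS_NAME, $arrayState)

foreach ($rule in $array.ArrayPolicy.PolicyRules) {
    try {
        $sets = $rule.MalwareInspectionProperties.ScannerSettings.VendorParametersSets
    } catch {
        # Publishing and other rule types without malware inspection properties.
        continue
    }
    $state = Get-PartialScanState $sets
    Write-Output ("Rule '{0}' : {1} = {2}" -f $rule.Name, $SE_VPS_NAME, $state)
    if ("$state" -match '^True') {
        # Partial scanning is on for this rule: only the first "Block files
        # larger than (MB)" megabytes of a large file are inspected.
        Write-Warning ("Rule '{0}' scans large files only partially; confirm client-side anti-malware covers this path." -f $rule.Name)
    }
}
```

Run it before and after applying or reverting a script to confirm the saved value, and keep the output as a record of which rules allow partially scanned downloads.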

MORE INFORMATION

Important! Be aware that when you set ScanMaxSizeOnlyIfExceeds to True, you introduce a security risk, because a large file that contains malware in the unscanned part of the file could be passed by TMG to the client.

Microsoft recommends full file scanning. Therefore, we advise that you use this setting only after you carefully consider the risk and only if you use a defense-in-depth approach to malware detection, including appropriate client-side anti-malware software.

Properties

Article ID: 2518663 - Last Review: June 15, 2011 - Revision: 1.0
APPLIES TO
  • Microsoft Forefront Threat Management Gateway 2010 Service Pack 1, when used with:
    • Microsoft Forefront Threat Management Gateway 2010 Enterprise
    • Microsoft Forefront Threat Management Gateway 2010 Standard